CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-33992 – Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA
https://notcve.org/view.php?id=CVE-2023-33992
11 Jul 2023 — The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - version SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 730, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300, may expose unauthorized cell values to the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the keyfigure/measure level. The missing check only affects the data level. • https://me.sap.com/notes/3088078 • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 2%CPEs: 11EXPL: 3CVE-2021-21466 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21466
12 Jan 2021 — SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module over the network. Via the function module an attacker can create a malicious ABAP report which could be used to get access to sensitive data, to inject malicious UPDATE statements that could have also impact on the operating system, to disrupt the functionality of the SAP system which can thereby lead to a Deni... • https://packetstorm.news/files/id/167229 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 12EXPL: 3CVE-2021-21465 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21465
12 Jan 2021 — The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands which the database will execute without properly sanitizing the untrusted data leading to SQL injection vulnerability which can fully compromise the affected SAP system. La Interfaz de Base de Datos de BW permite a un atacante con pocos privilegios ejecutar cualquier consulta de la base de datos diseñada, exponiendo la base de... • https://packetstorm.news/files/id/167229 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 3CVE-2021-21468 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2021-21468
12 Jan 2021 — The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table. La interfaz de Base de Datos de BW no lleva a cabo las comprobaciones de autorización necesarias para un usuario autenticado, resultando en una escalada de privilegios que permite al usuario leer prácticamente cualquier tabla de la base de datos The SAP application server ABAP and ABAP Platform are suscepti... • https://packetstorm.news/files/id/167229 • CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 0%CPEs: 14EXPL: 0CVE-2020-26838
https://notcve.org/view.php?id=CVE-2020-26838
09 Dec 2020 — SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availabili... • https://launchpad.support.sap.com/#/notes/2983367 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •